topic Re: Python tool for exporting/importing a policy package or parts of it in API / CLI Discussion

Python tool for exporting/importing a policy package or parts of it

Inbar_Moskovich — Wed, 26 Feb 2025 20:30:00 GMT

Overview

ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R8x management database.

This tool can be used for backups, database transfers, testing, and more.

In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA.
The tool doesn't support exporting a policy with global policy assigned!

The tool is referenced in https://support.checkpoint.com/results/sk/sk180923

Description

This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice

There are some types of objects that the script might not be able to export.
In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this.
In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions

Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage
First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script.
To export a package, run the import_export_package.py script. An interactive menu will guide you the rest of the way.
Command line flags may also be set in order to skip some or all of the menu.
A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool.

Limitations

This export/import script does not gather all data from a given management server/CMA.
In general, it is limited by the R8x Management APIs available on your version.
Specifically, this means:

CMAs with a Global Policy assigned cannot be exported
- Workaround: unassign the Global Policy prior to export
Gateway/Cluster objects have to be recreated
- Placeholder objects will be created
UserCheck messages have to be recreated
- Placeholder objects will be created
The Internal Certificate Authority will not be copied. This means:
- Re-establishing SIC with the appropriate gateways
- Re-generating VPN certificates
- Manually recreating HTTPS Inspection and DLP Rules
Other objects not currently readable/writable via the R8x API will not be copied

Tested on version

R8x
Releases earlier than R80 lack the necessary API support and are not supported.

Source Code Availability

The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage

FAQ

Replies to this thread have locked.
Please refer to the FAQ below before you create a new post with your question.

When I run this tool, I get the message: APIResponse received a response which is not a valid JSON.

This most likely means you haven't enabled the API server yet.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641

I get an error message related to server fingerprint

Use the --unsafe option to ignore this error.

Can this tool export more than one policy package at a time?

Not currently, but you could call the tool in a script multiple times.

Re: Python tool for exporting/importing a policy package or parts of it

Robert_Decker — Sun, 27 Aug 2017 13:04:52 GMT

This source code is now an open source on GitHub repository:

GitHub - CheckPoint-APIs-Team/ExportImportPolicyPackage

Re: Python tool for exporting/importing a policy package or parts of it

Julien_Tissot — Wed, 30 Aug 2017 05:21:05 GMT

Hello,

Is there a way to export all packages from 1 domain instead of exporting each package 1 by 1?

Thank you,

Julien

Re: Python tool for exporting/importing a policy package or parts of it

Adam_Galmor — Wed, 30 Aug 2017 06:21:28 GMT

At the moment no, but it might be added in the near future.

Re: Python tool for exporting/importing a policy package or parts of it

Julien_Tissot — Wed, 30 Aug 2017 15:03:44 GMT

Hello!

I have an error when there is a special character (in my case 'é' or 'è' or others) in the rule name. Is there a way to just ignore this character but to let the export continue? The logs are attached

Thanks you

Julien

----------------------------------------------------------------------------

Retrieved 384 out of 384 rules (100%)

Traceback (most recent call last):
File "import_export_package.py", line 44, in <module>
    export_package(client, args)
File "/import_export_V2.0/exporting/export_package.py", line 38, in export_package
    = export_access_rulebase(access_layer["name"], client, timestamp, tar_file)
File "/import_export_V2.0/exporting/export_access_rulebase.py", line 16, in export_access_rulebase
    get_query_rulebase_data(client, "access-rulebase", {"name": layer})
File "/import_export_V2.0/exporting/export_objects.py", line 122, in get_query_rulebase_data
    rulebase_item else "???", rule["name"] if "name" in rule else "")
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 7: ordinal not in range(128)

Re: Python tool for exporting/importing a policy package or parts of it

OliviaMocellini — Mon, 11 Sep 2017 16:48:02 GMT

Hi guys,

I'm trying to make an export by running this utility but don't get what should I put as the package name, because from what I'm seeing it's not the the name that the policy has on the SMS server.

Thanks in advance!

Re: Python tool for exporting/importing a policy package or parts of it

Robert_Decker — Tue, 12 Sep 2017 09:11:33 GMT

Hi Julien,

Our team will check this problem and update the community once resolved.

Robert.

Re: Python tool for exporting/importing a policy package or parts of it

Robert_Decker — Tue, 12 Sep 2017 09:13:19 GMT

Hi Olivia,

Our team will check this problem and update the community once resolved.

Robert.

Re: Python tool for exporting/importing a policy package or parts of it

Shoham_Halevi — Tue, 12 Sep 2017 12:17:39 GMT

Hi Olivia,

You're supposed to put the name of the policy package as seen here:

If that doesn't help, please explain further what you are trying to do and how, and what is the output of the tool?

Shoham

Re: Python tool for exporting/importing a policy package or parts of it

Shoham_Halevi — Wed, 13 Sep 2017 09:26:38 GMT

Hi Julien,

The issue should be fixed now, reclone the repo and try again.

If there are any further issues, please tell us.

Shoham

Re: Python tool for exporting/importing a policy package or parts of it

Ivo_Hrbacek — Fri, 15 Sep 2017 20:14:55 GMT

Hello Adam and guys,

did some testing and here are my findings:

case 1:

not possible to import objects with tags, looks its a problem with exported data and parameters tags.0.X

debug msg:
Failed to import network with name [net_SIP-provider-broadsoft_XXXXX_21]. Error: Invalid parameter for [tags]. Invalid value

json data:
{
"subnet4": "XXX",
"nat-settings.auto-rule": false,
"color": "black",
"comments": "",
"name": "net_SIP-provider-broadsoft_XXX",
"broadcast": "allow",
"tags.0.name": "PUBLIC-INTERNET-LAB",
"mask-length4": 21,
"tags.0.comments": "",
"tags.0.color": "black",
"tags.0.type": "tag"
}

csv data:
broadcast,color,comments,mask-length4,mask-length6,name,nat-settings.auto-rule,nat-settings.hide-behind,nat-settings.install-on,nat-settings.ipv4-address,nat-settings.ipv6-address,nat-settings.method,subnet4,subnet6,tags.0.color,tags.0.comments,tags.0.name,tags.0.type,tags.1.color,tags.1.comments,tags.1.name,tags.1.type
allow,black,,21,,net_SIP-provider-broadsoft_x.x.x.x_21,false,,,,,,x.x.x.X,,black,,PUBLIC-INTERNET-LAB,tag,,,,

####

case2:

having two ordered layers Network and App on source mgmt - in Network layer I have rules where are defined inline layers - looks code does not count with this and all inline layers are loaded as ordered layers

debug msg:

IN ad OUT rules are defined with action inline layer
Failed to import access-rule with name [INT]. Error: Request for Apply Layer may not change Action Settings or User Check parameters
Failed to import access-rule with name [OUT]. Error: Request for Apply Layer may not change Action Settings or User Check parameters
Failed to import access-rule with name [INT]. Error: Request for Apply Layer may not change Action Settings or User Check parameters
Failed to import access-rule with name [OUT]. Error: Request for Apply Layer may not change Action Settings or User Check parameters

###

case3:

data export/import for non r80.10 gw is bad, I have few 1450 boxes -77.20 emdededGaia and look for definition below in json ->

{
"bladesInfo.1.sortOrder": 3,
"versionName": "R77.20",
"bladesInfo.4.comments": null,
"ipv4-address": "81.91.220.11",
"bladesInfo.5.sortOrder": 14,
"bladesInfo.6.sortOrder": 15,
"bladesInfo.5.display-name": "IPS",
"bladesInfo.3.comments": null,
"bladesInfo.6.comments": null,
"bladesInfo.1.customFields": null,
"bladesInfo.5.bladeCategory": "threat blades",
"bladesInfo.6.bladeState.changeable": false,
"bladesInfo.7.comments": null,
"bladesInfo.3.bladeCategory": "access blades",
"bladesInfo.5.bladeState.activationState": "on",
"bladesInfo.1.bladeState.valid": false,
"bladesInfo.7.bladeCategory": "threat blades",
"bladesInfo.4.display-name": "QoS",
"name": "partial_export_error_simple-gateway_86fc2467-e0a1-4db3-8efc-c50996c4ccf4_XXX",
"bladesInfo.0.bladeState.changeable": false,
"bladesInfo.5.bladeState.valid": false,
"bladesInfo.0.customFields": null,
"bladesInfo.4.name": null,
"bladesInfo.3.bladeState.changeable": false,
"macAddress": "",
"sicExists": true,
"bladesInfo.4.sortOrder": 9,
"bladesInfo.7.display-name": "Anti-Virus",
"bladesInfo.0.sortOrder": 0,
"bladesInfo.2.bladeState.changeable": false,
"accessLicense": false,
"bladesInfo.3.bladeState.activationState": "on",
"comments": "",
"bladesInfo.5.comments": null,
"bladesInfo.7.customFields": null,
"bladesInfo.2.comments": null,
"bladesInfo.6.name": null,
"bladesInfo.1.name": null,
"bladesInfo.5.customFields": null,
"bladesInfo.7.bladeState.activationState": "on",
"bladesInfo.6.customFields": null,
"osName": "Gaia Embedded",
"bladesInfo.0.bladeState.valid": false,
"bladesInfo.3.customFields": null,
"bladesInfo.7.bladeState.changeable": false,
"bladesInfo.7.sortOrder": 16,
"bladesInfo.4.customFields": null,
"color": "black",
"bladesInfo.6.bladeState.valid": false,
"bladesInfo.1.bladeState.activationState": "on",
"bladesInfo.4.bladeState.changeable": false,
"connectionState": "communicating",
"primaryManagement": false,
"bladesInfo.4.bladeState.valid": false,
"bladesInfo.4.bladeState.activationState": "on",
"bladesInfo.7.name": null,
"bladesInfo.3.name": null,
"bladesInfo.1.bladeState.changeable": false,
"bladesInfo.2.sortOrder": 4,
"natSummaryText": "None",
"customFields": null,
"bladesInfo.2.display-name": "URL Filtering",
"bladesInfo.1.display-name": "Application Control",
"proxyAddress": "Default Proxy Settings",
"bladesInfo.3.sortOrder": 7,
"bladesInfo.2.customFields": null,
"bladesInfo.3.bladeState.valid": false,
"bladesInfo.2.name": null,
"bladesInfo.6.display-name": "Anti-Bot",
"bladesInfo.6.bladeCategory": "threat blades",
"overallStatus": true,
"bladesInfo.0.display-name": "Firewall",
"bladesInfo.0.name": null,
"bladesInfo.5.bladeState.changeable": false,
"bladesInfo.2.bladeState.valid": false,
"licenseSKU": "CPSG-EVAL-P1207-30/1",
"bladesInfo.6.bladeState.activationState": "on",
"bladesInfo.2.bladeCategory": "access blades",
"bladesInfo.4.bladeCategory": "access blades",
"bladesInfo.1.bladeCategory": "access blades",
"bladeMgmtWorkflowOn": false,
"bladesInfo.2.bladeState.activationState": "on",
"bladesInfo.5.name": null,
"bladesInfo.0.bladeCategory": "access blades",
"display-name": "",
"bladesInfo.3.display-name": "Identity Awareness",
"bladesInfo.0.comments": null,
"hwName": "1100 Appliances",
"bladesInfo.0.bladeState.activationState": "on",
"bladesInfo.7.bladeState.valid": false,
"ipv6-address": "",
"bladesInfo.1.comments": null,
"threatLicense": false

for example "hwName": "1100 Appliances" does not seems to be correct
1450 are not imported and I have these logs:
Failed to import simple-gateway with name [partial_export_error_simple-gateway_d992da76-783b-4f50-ae1f-327701158bf0_XXX]. Error: Unrecognized parameter [natSummaryText]

thx

ivo

Re: Python tool for exporting/importing a policy package or parts of it

Shoham_Halevi — Mon, 18 Sep 2017 08:38:17 GMT

Hi Ivo,

I tried reproducing your first and second problems, but couldn't. Make sure you are on the latest version of the tool (clone it from the GitHub link above). If the problem persists, please reply with more details so I can reproduce the problem on my side.

This tool works for exporting/importing from R80.10 machines to R80.10 machines, nothing before, as there is no API support. So you can't export from or import to R77.20 machines.

Shoham

Re: Python tool for exporting/importing a policy package or parts of it

Ivo_Hrbacek — Mon, 18 Sep 2017 09:02:06 GMT

Hi there,

I have latest version.. is there a way how I can share with you exported data?

I understand its for exporting from/to R80.10 machine, but event R80.10 mgmt can orchestrate r77.x gateways.. specially 1400 boxes could be there since its just 77.20.x.x or something like that and those machines are normally in R80.10 database so why they should not be exported to another R80.10 machine?

ivo

Re: Python tool for exporting/importing a policy package or parts of it

OliviaMocellini — Mon, 25 Sep 2017 13:52:18 GMT

Thanks! it seems I had wrong typed the policy name many times!

Re: Python tool for exporting/importing a policy package or parts of it

OliviaMocellini — Mon, 25 Sep 2017 13:53:30 GMT

Thanks, resolved, package name was a typo.

Re: Python tool for exporting/importing a policy package or parts of it

Borut — Wed, 25 Oct 2017 11:05:08 GMT

I'm not successful with the tool. Trying to export the configuration from R80.10 mgmt.

python import_export_package.py -m x.x.x.x -op export -n Lab -o conf.out -u xxxxyyyyyy -p xxxxyyyyy --all

Traceback (most recent call last):
File "import_export_package.py", line 30, in <module>
payload={"read-only": "true" if args.operation == "export" else "false"})
File "/cygdrive/d/Python scripts/ExportImportPolicyPackage-master/cp_mgmt_api_python_sdk/lib/mgmt_api.py", line 154, in login
login_res = self.api_call("login", credentials)
File "/cygdrive/d/Python scripts/ExportImportPolicyPackage-master/cp_mgmt_api_python_sdk/lib/mgmt_api.py", line 225, in api_call
self.check_fingerprint()
File "/cygdrive/d/Python scripts/ExportImportPolicyPackage-master/cp_mgmt_api_python_sdk/lib/mgmt_api.py", line 522, in check_fingerprint
server_fingerprint = self.get_server_fingerprint()
File "/cygdrive/d/Python scripts/ExportImportPolicyPackage-master/cp_mgmt_api_python_sdk/lib/mgmt_api.py", line 414, in get_server_fingerprint
context = ssl.create_default_context()
AttributeError: 'module' object has no attribute 'create_default_context'

What am I doing wrong?

Best regards

Re: Python tool for exporting/importing a policy package or parts of it

Robert_Decker — Thu, 02 Nov 2017 09:16:25 GMT

Which version of python are you using?

It should be at least 2.7.9...

Re: Python tool for exporting/importing a policy package or parts of it

Borut — Mon, 06 Nov 2017 12:24:42 GMT

2.7.14.

Re: Python tool for exporting/importing a policy package or parts of it

Borut — Tue, 07 Nov 2017 11:10:59 GMT

I managed to resolve the issue. First I tried with python 2.7.9. and didn't get the error message anymore, but got this one:

Login to management server failed. lib::APIResponse
{
"data": null,
"error_message": "APIResponse received a response which is not a valid JSON.",
"res_obj": {},
"status_code": 403,
"success": false
}

The solution was to enable API access from all IP's.

Re: Python tool for exporting/importing a policy package or parts of it

Borut — Tue, 07 Nov 2017 11:11:54 GMT

Now that the export is done, does anyone have a suggestion for a bulk rename of the objects/networks before importing?

Also, I can't seem to find NAT rules in the export files.